From 5e3662000e32864bc163ad24b2c7e87cdec8bd97 Mon Sep 17 00:00:00 2001 
From: Jeremy Liu Date: Thu, 9 Feb 2017 18:19:15 +0800 Subject: [PATCH] Maintain policy in code This patch adds the basic framework for registering and using default policy rules. Rules should be defined and returned from a module in barbican/common/policies/, and then added to the list in barbican/common/policies/__init__.py. Also adds tox env to generate policy sample file. Change-Id: If25b17ae7eed3f1a8e8e6f29701552a39d5a603f --- .gitignore | 3 + barbican/common/policies/__init__.py | 43 +++++++++++ barbican/common/policies/acls.py | 38 +++++++++ barbican/common/policies/base.py | 77 +++++++++++++++++++ barbican/common/policies/cas.py | 51 ++++++++++++ barbican/common/policies/consumers.py | 43 +++++++++++ barbican/common/policies/containers.py | 37 +++++++++ barbican/common/policies/orders.py | 31 ++++++++ barbican/common/policies/quotas.py | 29 +++++++ barbican/common/policies/secretmeta.py | 29 +++++++ barbican/common/policies/secrets.py | 41 ++++++++++ barbican/common/policies/secretstores.py | 33 ++++++++ barbican/common/policies/transportkeys.py | 29 +++++++ barbican/common/policies/versions.py | 23 ++++++ etc/oslo-config-generator/policy.conf | 3 + ...slopolicy-genscripts-1a7b364b8ffd7c3f.yaml | 8 ++ setup.cfg | 3 + tox.ini | 3 + 18 files changed, 524 insertions(+) create mode 100644 barbican/common/policies/__init__.py create mode 100644 barbican/common/policies/acls.py create mode 100644 barbican/common/policies/base.py create mode 100644 barbican/common/policies/cas.py create mode 100644 barbican/common/policies/consumers.py create mode 100644 barbican/common/policies/containers.py create mode 100644 barbican/common/policies/orders.py create mode 100644 barbican/common/policies/quotas.py create mode 100644 barbican/common/policies/secretmeta.py create mode 100644 barbican/common/policies/secrets.py create mode 100644 barbican/common/policies/secretstores.py create mode 100644 barbican/common/policies/transportkeys.py create mode 100644 
barbican/common/policies/versions.py create mode 100644 etc/oslo-config-generator/policy.conf create mode 100644 releasenotes/notes/oslopolicy-genscripts-1a7b364b8ffd7c3f.yaml
diff --git a/.gitignore b/.gitignore
index 8abe6e01a..fc7745cb2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -71,6 +71,9 @@ ChangeLog
 etc/barbican/barbican.conf
 etc/barbican/barbican.conf.sample
+# File created by oslopolicy-sample-generator
+etc/barbican/policy.yaml.sample
+
 # Files created by releasenotes build
 releasenotes/build
diff --git a/barbican/common/policies/__init__.py b/barbican/common/policies/__init__.py
new file mode 100644
index 000000000..0d7653891
--- /dev/null
+++ b/barbican/common/policies/__init__.py
@@ -0,0 +1,43 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import itertools
+
+from barbican.common.policies import acls
+from barbican.common.policies import base
+from barbican.common.policies import cas
+from barbican.common.policies import consumers
+from barbican.common.policies import containers
+from barbican.common.policies import orders
+from barbican.common.policies import quotas
+from barbican.common.policies import secretmeta
+from barbican.common.policies import secrets
+from barbican.common.policies import secretstores
+from barbican.common.policies import transportkeys
+from barbican.common.policies import versions
+
+
+def list_rules():
+ return itertools.chain(
+ acls.list_rules(),
+ base.list_rules(),
+ cas.list_rules(),
+ consumers.list_rules(),
+ containers.list_rules(),
+ orders.list_rules(),
+ quotas.list_rules(),
+ secretmeta.list_rules(),
+ secrets.list_rules(),
+ secretstores.list_rules(),
+ transportkeys.list_rules(),
+ versions.list_rules(),
+ )
diff --git a/barbican/common/policies/acls.py b/barbican/common/policies/acls.py
new file mode 100644
index 000000000..41a2e34ac
--- /dev/null
+++ b/barbican/common/policies/acls.py
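Review bot: `list_rules` is the target of the new `oslo.policy.policies` entry point and carries no docstring, so the registration contract described in the commit message (define a module, then add it here) lives nowhere in the code. A docstring such as `"""Return all default policy rules; exposed via the oslo.policy.policies entry point, so a new rules module is neither enforced nor sampled until it is added to this chain."""` would carry that forward. Because the result is a lazy `itertools.chain`, a duplicate rule name across modules is not detected here; presumably the enforcer rejects it at registration time, but a one-line note to that effect would help the next contributor.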
@@ -0,0 +1,38 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+ policy.RuleDefault('secret_acls:put_patch',
+ 'rule:secret_project_admin or '
+ 'rule:secret_project_creator'),
+ policy.RuleDefault('secret_acls:delete',
+ 'rule:secret_project_admin or '
+ 'rule:secret_project_creator'),
+ policy.RuleDefault('secret_acls:get',
+ 'rule:all_but_audit and '
+ 'rule:secret_project_match'),
+ policy.RuleDefault('container_acls:put_patch',
+ 'rule:container_project_admin or '
+ 'rule:container_project_creator'),
+ policy.RuleDefault('container_acls:delete',
+ 'rule:container_project_admin or '
+ 'rule:container_project_creator'),
+ policy.RuleDefault('container_acls:get',
+ 'rule:all_but_audit and rule:container_project_match'),
+]
+
+
+def list_rules():
+ return rules
diff --git a/barbican/common/policies/base.py b/barbican/common/policies/base.py
new file mode 100644
index 000000000..9b5500d48
--- /dev/null
+++ b/barbican/common/policies/base.py
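Review bot: None of the `RuleDefault` entries passes a `description=`, so the `policy.yaml.sample` this patch generates will show bare check strings with no statement of what `secret_acls:put_patch` or `container_acls:get` actually protects, which is most of the value of keeping policy in code. `policy.RuleDefault` accepts a `description` argument and the sample generator emits it as a comment above each rule; for the first entry something like `description='Create or replace the ACL of a secret (project admin or the creating user only).'` is enough. The same omission applies to every rules module in this patch.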
@@ -0,0 +1,77 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+ policy.RuleDefault('admin',
+ 'role:admin'),
+ policy.RuleDefault('observer',
+ 'role:observer'),
+ policy.RuleDefault('creator',
+ 'role:creator'),
+ policy.RuleDefault('audit',
+ 'role:audit'),
+ policy.RuleDefault('service_admin',
+ 'role:key-manager:service-admin'),
+ policy.RuleDefault('admin_or_user_does_not_work',
+ 'project_id:%(project_id)s'),
+ policy.RuleDefault('admin_or_user',
+ 'rule:admin or project_id:%(project_id)s'),
+ policy.RuleDefault('admin_or_creator',
+ 'rule:admin or rule:creator'),
+ policy.RuleDefault('all_but_audit',
+ 'rule:admin or rule:observer or rule:creator'),
+ policy.RuleDefault('all_users',
+ 'rule:admin or rule:observer or rule:creator or '
+ 'rule:audit or rule:service_admin'),
+ policy.RuleDefault('secret_project_match',
+ 'project:%(target.secret.project_id)s'),
+ policy.RuleDefault('secret_acl_read',
+ "'read':%(target.secret.read)s"),
+ policy.RuleDefault('secret_private_read',
+ "'False':%(target.secret.read_project_access)s"),
+ policy.RuleDefault('secret_creator_user',
+ "user:%(target.secret.creator_id)s"),
+ policy.RuleDefault('container_project_match',
+ "project:%(target.container.project_id)s"),
+ policy.RuleDefault('container_acl_read',
+ "'read':%(target.container.read)s"),
+ policy.RuleDefault('container_private_read',
+ "'False':%(target.container.read_project_access)s"),
+ policy.RuleDefault('container_creator_user',
+ "user:%(target.container.creator_id)s"),
+ policy.RuleDefault('secret_non_private_read',
+ "rule:all_users and rule:secret_project_match and "
+ "not rule:secret_private_read"),
+ policy.RuleDefault('secret_decrypt_non_private_read',
+ "rule:all_but_audit and rule:secret_project_match and "
+ "not rule:secret_private_read"),
+ policy.RuleDefault('container_non_private_read',
+ "rule:all_users and rule:container_project_match and "
+ "not rule:container_private_read"),
+ policy.RuleDefault('secret_project_admin',
+ "rule:admin and rule:secret_project_match"),
+ policy.RuleDefault('secret_project_creator',
+ "rule:creator and rule:secret_project_match and "
+ "rule:secret_creator_user"),
+ policy.RuleDefault('container_project_admin',
+ "rule:admin and rule:container_project_match"),
+ policy.RuleDefault('container_project_creator',
+ "rule:creator and rule:container_project_match and "
+ "rule:container_creator_user"),
+]
+
+
+def list_rules():
+ return rules
diff --git a/barbican/common/policies/cas.py b/barbican/common/policies/cas.py
new file mode 100644
index 000000000..4998cc10b
--- /dev/null
+++ b/barbican/common/policies/cas.py
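Review bot: `secret_private_read` and `container_private_read` are used only negated (`not rule:secret_private_read` in `secret_non_private_read` and its siblings), and an oslo.policy generic check evaluates to False when its `%(target.secret.read_project_access)s` key is absent from the target, so a target that omits that key is treated as *not private* and the project-wide read path opens; whether every controller always sets the key is outside this hunk. A comment on the rule would protect that invariant, e.g. `# Missing target key => False => the 'non_private' rules pass; callers must always set read_project_access.` Separately, `secret_project_match` reads the credential key `project` while `admin_or_user` reads `project_id`; presumably the request context exposes both, but it is worth confirming, since a missing key silently makes the whole rule False. Finally, `admin_or_user_does_not_work` is kept under a name that says it is broken; if it survives only for policy.json compatibility, a comment should say so.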
@@ -0,0 +1,51 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+ policy.RuleDefault('certificate_authorities:get_limited',
+ 'rule:all_users'),
+ policy.RuleDefault('certificate_authorities:get_all',
+ 'rule:admin'),
+ policy.RuleDefault('certificate_authorities:post',
+ 'rule:admin'),
+ policy.RuleDefault('certificate_authorities:get_preferred_ca',
+ 'rule:all_users'),
+ policy.RuleDefault('certificate_authorities:get_global_preferred_ca',
+ 'rule:service_admin'),
+ policy.RuleDefault('certificate_authorities:unset_global_preferred',
+ 'rule:service_admin'),
+ policy.RuleDefault('certificate_authority:delete',
+ 'rule:admin'),
+ policy.RuleDefault('certificate_authority:get',
+ 'rule:all_users'),
+ policy.RuleDefault('certificate_authority:get_cacert',
+ 'rule:all_users'),
+ policy.RuleDefault('certificate_authority:get_ca_cert_chain',
+ 'rule:all_users'),
+ policy.RuleDefault('certificate_authority:get_projects',
+ 'rule:service_admin'),
+ policy.RuleDefault('certificate_authority:add_to_project',
+ 'rule:admin'),
+ policy.RuleDefault('certificate_authority:remove_from_project',
+ 'rule:admin'),
+ policy.RuleDefault('certificate_authority:set_preferred',
+ 'rule:admin'),
+ policy.RuleDefault('certificate_authority:set_global_preferred',
+ 'rule:service_admin'),
+]
+
+
+def list_rules():
+ return rules
diff --git a/barbican/common/policies/consumers.py b/barbican/common/policies/consumers.py
new file mode 100644
index 000000000..e36024b2d
--- /dev/null
+++ b/barbican/common/policies/consumers.py
@@ -0,0 +1,43 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+ policy.RuleDefault('consumer:get',
+ 'rule:admin or rule:observer or rule:creator or '
+ 'rule:audit or rule:container_non_private_read or '
+ 'rule:container_project_creator or '
+ 'rule:container_project_admin or '
+ 'rule:container_acl_read'),
+ policy.RuleDefault('consumers:get',
+ 'rule:admin or rule:observer or rule:creator or '
+ 'rule:audit or rule:container_non_private_read or '
+ 'rule:container_project_creator or '
+ 'rule:container_project_admin or '
+ 'rule:container_acl_read'),
+ policy.RuleDefault('consumers:post',
+ 'rule:admin or rule:container_non_private_read or '
+ 'rule:container_project_creator or '
+ 'rule:container_project_admin or '
+ 'rule:container_acl_read'),
+ policy.RuleDefault('consumers:delete',
+ 'rule:admin or rule:container_non_private_read or '
+ 'rule:container_project_creator or '
+ 'rule:container_project_admin or '
+ 'rule:container_acl_read'),
+]
+
+
+def list_rules():
+ return rules
diff --git a/barbican/common/policies/containers.py b/barbican/common/policies/containers.py
new file mode 100644
index 000000000..643f14116
--- /dev/null
+++ b/barbican/common/policies/containers.py
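Review bot: `consumer:get` and `consumers:get` open with `rule:admin or rule:observer or rule:creator or rule:audit`, and in base.py those are bare `role:` checks with no `project_id` or `%(target.container...)s` term, so anyone holding one of those roles in any project satisfies the policy for any container's consumer list; `consumers:post`/`delete` likewise lead with an unscoped `rule:admin`. `container:get` in this same patch is scoped entirely through `container_non_private_read`, `container_project_*` and `container_acl_read`, so the role-only disjuncts here read as a carry-over rather than intent, unless the consumers controller enforces project ownership itself (not visible here). Dropping the leading role-only terms so each rule matches `container:get`, i.e. `'rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read'` (with `rule:admin` replaced by `rule:container_project_admin` in post/delete), would close that gap. Also, `container_acl_read` in `consumers:post`/`delete` means a read-only ACL entry can register or remove consumers; if that is intended, it deserves a comment.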
@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+ policy.RuleDefault('containers:post',
+ 'rule:admin_or_creator'),
+ policy.RuleDefault('containers:get',
+ 'rule:all_but_audit'),
+ policy.RuleDefault('container:get',
+ 'rule:container_non_private_read or '
+ 'rule:container_project_creator or '
+ 'rule:container_project_admin or '
+ 'rule:container_acl_read'),
+ policy.RuleDefault('container:delete',
+ 'rule:container_project_admin or '
+ 'rule:container_project_creator'),
+ policy.RuleDefault('container_secret:post',
+ 'rule:admin'),
+ policy.RuleDefault('container_secret:delete',
+ 'rule:admin'),
+]
+
+
+def list_rules():
+ return rules
diff --git a/barbican/common/policies/orders.py b/barbican/common/policies/orders.py
new file mode 100644
index 000000000..0772ad2e4
--- /dev/null
+++ b/barbican/common/policies/orders.py
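Review bot: `container_secret:post` and `container_secret:delete` are plain `rule:admin`, which in base.py is `role:admin` with no project or target term, while `container:delete` just above uses `container_project_admin` (admin *and* `%(target.container.project_id)s` match). As written, an admin of any project passes the policy for adding or removing secret references on any container; whether the controller independently checks container ownership is not visible in this hunk. Unless the wider scope is deliberate, `'rule:container_project_admin or rule:container_project_creator'`, matching `container:delete`, is the consistent default for both entries.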
@@ -0,0 +1,31 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+ policy.RuleDefault('orders:post',
+ 'rule:admin_or_creator'),
+ policy.RuleDefault('orders:get',
+ 'rule:all_but_audit'),
+ policy.RuleDefault('order:get',
+ 'rule:all_users'),
+ policy.RuleDefault('order:put',
+ 'rule:admin_or_creator'),
+ policy.RuleDefault('order:delete',
+ 'rule:admin'),
+]
+
+
+def list_rules():
+ return rules
diff --git a/barbican/common/policies/quotas.py b/barbican/common/policies/quotas.py
new file mode 100644
index 000000000..c31652c82
--- /dev/null
+++ b/barbican/common/policies/quotas.py
@@ -0,0 +1,29 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+ policy.RuleDefault('quotas:get',
+ 'rule:all_users'),
+ policy.RuleDefault('project_quotas:get',
+ 'rule:service_admin'),
+ policy.RuleDefault('project_quotas:put',
+ 'rule:service_admin'),
+ policy.RuleDefault('project_quotas:delete',
+ 'rule:service_admin'),
+]
+
+
+def list_rules():
+ return rules
diff --git a/barbican/common/policies/secretmeta.py b/barbican/common/policies/secretmeta.py
new file mode 100644
index 000000000..f78c721ec
--- /dev/null
+++ b/barbican/common/policies/secretmeta.py
@@ -0,0 +1,29 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+ policy.RuleDefault('secret_meta:get',
+ 'rule:all_but_audit'),
+ policy.RuleDefault('secret_meta:post',
+ 'rule:admin_or_creator'),
+ policy.RuleDefault('secret_meta:put',
+ 'rule:admin_or_creator'),
+ policy.RuleDefault('secret_meta:delete',
+ 'rule:admin_or_creator'),
+]
+
+
+def list_rules():
+ return rules
diff --git a/barbican/common/policies/secrets.py b/barbican/common/policies/secrets.py
new file mode 100644
index 000000000..e756bbc8e
--- /dev/null
+++ b/barbican/common/policies/secrets.py
@@ -0,0 +1,41 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+ policy.RuleDefault('secret:decrypt',
+ 'rule:secret_decrypt_non_private_read or '
+ 'rule:secret_project_creator or '
+ 'rule:secret_project_admin or '
+ 'rule:secret_acl_read'),
+ policy.RuleDefault('secret:get',
+ 'rule:secret_non_private_read or '
+ 'rule:secret_project_creator or '
+ 'rule:secret_project_admin or '
+ 'rule:secret_acl_read'),
+ policy.RuleDefault('secret:put',
+ 'rule:admin_or_creator and '
+ 'rule:secret_project_match'),
+ policy.RuleDefault('secret:delete',
+ 'rule:secret_project_admin or '
+ 'rule:secret_project_creator'),
+ policy.RuleDefault('secrets:post',
+ 'rule:admin_or_creator'),
+ policy.RuleDefault('secrets:get',
+ 'rule:all_but_audit'),
+]
+
+
+def list_rules():
+ return rules
diff --git a/barbican/common/policies/secretstores.py b/barbican/common/policies/secretstores.py
new file mode 100644
index 000000000..81a3c7770
--- /dev/null
+++ b/barbican/common/policies/secretstores.py
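Review bot: In `secret:decrypt` the `rule:secret_acl_read` disjunct carries no role term at all (it is `'read':%(target.secret.read)s` in base.py), so the audit-role exclusion that `secret_decrypt_non_private_read` adds over `secret_non_private_read` only governs project-wide access: a user whose only role is `audit` but who is on the secret's read ACL still passes decrypt, assuming the controller sets `target.secret.read` for ACL users. If an explicit ACL grant is meant to override the audit restriction that is defensible, but it is surprising enough to deserve a comment on the entry, e.g. `# ACL grants are role-agnostic: an explicit read ACL permits decrypt even for the audit role.` Note also that `secret:put` checks only `admin_or_creator and secret_project_match` with no `secret_creator_user` term, so unlike `secret:delete` any creator in the project can supply the payload of another user's secret; if that is intended it is worth stating in the same place.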
@@ -0,0 +1,33 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+ policy.RuleDefault('secretstores:get',
+ 'rule:admin'),
+ policy.RuleDefault('secretstores:get_global_default',
+ 'rule:admin'),
+ policy.RuleDefault('secretstores:get_preferred',
+ 'rule:admin'),
+ policy.RuleDefault('secretstore_preferred:post',
+ 'rule:admin'),
+ policy.RuleDefault('secretstore_preferred:delete',
+ 'rule:admin'),
+ policy.RuleDefault('secretstore:get',
+ 'rule:admin'),
+]
+
+
+def list_rules():
+ return rules
diff --git a/barbican/common/policies/transportkeys.py b/barbican/common/policies/transportkeys.py
new file mode 100644
index 000000000..d9bab4e2d
--- /dev/null
+++ b/barbican/common/policies/transportkeys.py
@@ -0,0 +1,29 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+ policy.RuleDefault('transport_key:get',
+ 'rule:all_users'),
+ policy.RuleDefault('transport_key:delete',
+ 'rule:admin'),
+ policy.RuleDefault('transport_keys:get',
+ 'rule:all_users'),
+ policy.RuleDefault('transport_keys:post',
+ 'rule:admin'),
+]
+
+
+def list_rules():
+ return rules
diff --git a/barbican/common/policies/versions.py b/barbican/common/policies/versions.py
new file mode 100644
index 000000000..df6b14571
--- /dev/null
+++ b/barbican/common/policies/versions.py
@@ -0,0 +1,23 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+ policy.RuleDefault('version:get',
+ '@')
+]
+
+
+def list_rules():
+ return rules
diff --git a/etc/oslo-config-generator/policy.conf b/etc/oslo-config-generator/policy.conf
new file mode 100644
index 000000000..8fffdef34
--- /dev/null
+++ b/etc/oslo-config-generator/policy.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/barbican/policy.yaml.sample
+namespace = barbican
diff --git a/releasenotes/notes/oslopolicy-genscripts-1a7b364b8ffd7c3f.yaml b/releasenotes/notes/oslopolicy-genscripts-1a7b364b8ffd7c3f.yaml
new file mode 100644
index 000000000..35a4f886d
--- /dev/null
+++ b/releasenotes/notes/oslopolicy-genscripts-1a7b364b8ffd7c3f.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - Maintain the policy rules in code and add an oslo.policy CLI script
+ in tox to generate policy sample file.
+
+ The script can be called like
+ "oslopolicy-sample-generator --config-file=etc/oslo-config-generator/policy.conf"
+ and will generate a policy.yaml.sample file with the effective policy.
diff --git a/setup.cfg b/setup.cfg
index 5164f6184..d0f81c52f 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -28,6 +28,9 @@ dogtag =
 dogtag-pki>=10.3.5.1 # LGPLv3+
 [entry_points]
+oslo.policy.policies =
+ barbican = barbican.common.policies:list_rules
+
 console_scripts =
 barbican-manage = barbican.cmd.barbican_manage:main
 barbican-db-manage = barbican.cmd.db_manage:main
diff --git a/tox.ini b/tox.ini
index da517db61..a93eab5ac 100644
--- a/tox.ini
+++ b/tox.ini
@@ -124,5 +124,8 @@ commands = sphinx-build -a -E -W -d install-guide/build/doctrees -b html install
 deps = bindep
 commands = bindep test
+[testenv:genpolicy]
+commands = oslopolicy-sample-generator --config-file=etc/oslo-config-generator/policy.conf
+
 [hacking]
 local-check-factory = barbican.hacking.checks.factory
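Review bot: The `oslo.policy.policies` entry point only makes these defaults visible to `oslopolicy-sample-generator`; nothing in this patch registers them with barbican's policy `Enforcer` (no enforcer or `register_defaults` change appears in the diffstat), so the in-code rules are not yet what the API enforces, and the generated `policy.yaml.sample` can diverge from whatever policy file is actually loaded at runtime. Until the enforcer is wired up, a unit test asserting that `policies.list_rules()` matches the shipped policy file (if one is still shipped) would keep the two from drifting, and the release note's "the effective policy" overstates what the sample currently reflects. The `genpolicy` env is also not run by any gate added here, so the sample is regenerated only by hand.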